Reputation: 43
I have an Apigee proxy for a backend API. If I define no resources for the API, my proxy simply acts as a pass-through. How can I block all paths by default EXCEPT for those that I explicitly allow by defining as resources?
For example, I have 20 domain objects and 4 CRUD methods on each. That's 80 potential resources. I only want to allow my developer to access, say, 10 of these resources. How can I easily block access to the other 70?
I guess what I'm asking is how to take a least-privilege approach to exposing my backend services to my developer?
Upvotes: 2
Views: 1570
Reputation: 1838
Define an invalid path to trap those requests and raise a fault policy with the following definition:
<Flows>
    <!-- Conditional flows are evaluated in order; the first one whose Condition is true runs. -->
    <Flow name="Purchase Item Details">
        <Description/>
        <Request/> <!-- attach the policies for this explicitly allowed resource here -->
        <Response/>
        <Condition>(proxy.pathsuffix MatchesPath "/{purchase_id}") and (request.verb = "GET")</Condition>
    </Flow>
    <!-- THE MAGIC STARTS HERE: the last flow catches everything that did not match above -->
    <Flow name="Invalid Path">
        <Description>Invalid Path</Description>
        <Request>
            <Step>
                <Name>raisefault-invalidpath</Name> <!-- RIGHT HERE -->
            </Step>
        </Request>
        <Response/>
        <!-- RIGHT HERE: no request.verb check, so an unknown path is rejected for every method -->
        <Condition>proxy.pathsuffix MatchesPath "/**"</Condition>
    </Flow>
</Flows>
The way it works is that it will try to match the resources listed above the "Invalid Path" flow; in the example above, it'll try to match /basepath/{purchase_id}, and if no resource is found, the second flow will act as a catch-all by raising the fault and returning a response back to the client.
Upvotes: 1
Reputation: 98
Without having to trouble yourself with products, you can create a conditional flow that listens on the root of your URI (typically this means there is no condition defined within the flow). That flow can have a single policy that raises a fault; typically you would set the response code of this fault to a 404 and a message that says the resource they are looking for does not exist.
Upvotes: 0
Reputation: 96
Another approach is basically to control the access using API Product, Developer and Developer Apps. Please follow this document to get a basic understanding: http://apigee.com/docs/gateway-services/content/overview-1. Please let me know if you need any help.
Thanks, Archendra
Upvotes: 1
Reputation: 1580
You should be able to do this through the use of API resources. Information for this can be found at: http://apigee.com/docs/gateway-services/content/uri-based-configurations.
Upvotes: 1